Account Activity Notification with attached ZIP file contains a trojan
December 21, 2011
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Account Activity Notification 2419060820NJ” – the number and letters will vary.
The email is sent from the spoofed address “Account Support” and has the following body:
An Account Activity Notification you created has detected that the
following transaction has posted as of 12/19/11. The detail information
associated with the transaction is as follows:
Transaction Description: Incoming Wire Transfer
Reference Info: 1453328649OS
PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS
CONFIDENTIALITY NOTICE: This electronic mail transmission may contain
legally privileged, confidential information belonging to the sender. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, copying, distribution or taking any action based on the
contents of this electronic mail is strictly prohibited. If you have
received this electronic mail in error, please contact sender and delete
The attached ZIP file has the name Account_Update_Notification_12192011-71714.zip and contains the 210 kB file Account_Update_Notification_12192011.exe. The filenames will vary with each email.
The trojan is known as Trojan.Win32.Heur.Gen (ByteHero) or PWS-Zbot.gen.ma (McAfee).
At the time of writing, only 2 of the 42 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: 09707085eb9812202ba72a1c6f6c5f4a.
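The indicators in this post (the subject pattern, a ZIP attachment carrying an .exe, and the MD5 of the dropper) are enough to build a simple mail-gateway check. The following Python script is an added example, not MX Lab's own tooling: it parses a raw RFC 822 message, looks for ZIP attachments, lists any executable members, hashes each member against the MD5 above, and returns a verdict. The sample message it builds is constructed for the demonstration; the ZIP member is placeholder bytes, not the real binary, so only the subject and attachment rules fire on it, not the hash rule.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the campaign described in the post.
SUBJECT_RE = re.compile(r"^Account Activity Notification \d+[A-Z]+$")
KNOWN_MD5 = {"09707085eb9812202ba72a1c6f6c5f4a"}
# .exe is what the campaign used; the other Windows executable
# extensions are added here as a generalisation of that rule.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def inspect_zip(data: bytes):
    """Return (executable member names, MD5 hits) for one ZIP payload."""
    executables, hash_hits = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                executables.append(name)
            digest = hashlib.md5(zf.read(info)).hexdigest()
            if digest in KNOWN_MD5:
                hash_hits.append(f"{name}:{digest}")
    return executables, hash_hits


def inspect_message(raw: bytes) -> dict:
    """Apply the subject, attachment and hash rules to a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = msg.get("Subject", "")
    executables, hash_hits = [], []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            found, hits = inspect_zip(payload)
            executables += found
            hash_hits += hits
    subject_matches = bool(SUBJECT_RE.match(subject))
    if hash_hits:
        verdict = "malicious"        # known dropper hash seen
    elif subject_matches or executables:
        verdict = "suspicious"       # campaign lure or executable-in-ZIP
    else:
        verdict = "clean"
    return {
        "subject": subject,
        "subject_matches": subject_matches,
        "executables_in_zip": executables,
        "known_hash_hits": hash_hits,
        "verdict": verdict,
    }


def build_sample() -> bytes:
    """Construct a message mimicking the campaign (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder bytes stand in for the dropper; this is not the real binary.
        zf.writestr("Account_Update_Notification_12192011.exe",
                    b"MZ placeholder - constructed sample, not malware")
    msg = EmailMessage()
    msg["From"] = "Account Support <support@example.com>"   # spoofed display name, as in the post
    msg["To"] = "user@example.com"
    msg["Subject"] = "Account Activity Notification 2419060820NJ"
    msg.set_content("PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Account_Update_Notification_12192011-71714.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in inspect_message(build_sample()).items():
        print(f"{key}: {value}")
```

The hash rule only catches this exact binary, so the subject and executable-in-ZIP rules carry most of the value once the attacker recompiles the dropper; the filename variation the post mentions is why the regex and the ZIP inspection do not key on specific names.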